VAULT-ASSOCIATE-002 Question #81: Real Exam Question with Answer & Explanation
The correct answer is A: PKI. The PKI secrets engine is best suited for replacing long-lived X.509 certificates as it dynamically generates short-lived certificates with configurable TTLs.
Submitted by kavita_s · Apr 18, 2026 · Understand Vault Concepts
Question
Your organization has an initiative to reduce and ultimately remove the use of long-lived X.509 certificates. Which secrets engine will best support this use case?
Options
- A. PKI
- B. Key/Value secrets engine version 2, with TTL defined
- C. Cloud KMS
- D. Transit
Explanation
The PKI secrets engine is best suited for replacing long-lived X.509 certificates as it dynamically generates short-lived certificates with configurable TTLs.
Common mistakes.
- B. The Key/Value (KV) secrets engine version 2 can store arbitrary data and manage its versions and TTLs, but it does not have the capability to dynamically generate X.509 certificates.
- C. Cloud KMS (Key Management Service) is used for managing cryptographic keys and performing encryption operations in cloud environments, not for issuing X.509 certificates.
- D. The Transit secrets engine provides "cryptography as a service" for encrypting and decrypting data without exposing the raw encryption key, but it is not designed to issue X.509 certificates.
Concept tested. Vault PKI secrets engine for dynamic X.509 certificates
Reference. https://developer.hashicorp.com/vault/docs/secrets/pki
Topics
- PKI Secrets Engine
- X.509 Certificates
- Short-lived Certificates
- Secrets Engines